-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0436
                   Red Hat Data Grid 8.1.1 security update
                               9 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Data Grid 8.1.1
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-26217 CVE-2020-25711 CVE-2020-25644
Reference:         ESB-2021.0381 ESB-2021.0328 ESB-2020.4430 ESB-2020.4413

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:0433

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Data Grid 8.1.1 security update
Advisory ID:       RHSA-2021:0433-01
Product:           Red Hat JBoss Data Grid
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0433
Issue date:        2021-02-08
CVE Names:         CVE-2020-25644 CVE-2020-25711 CVE-2020-26217
=====================================================================

1. Summary:

A security update for Red Hat Data Grid is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is a distributed, in-memory data store.

This release of Red Hat Data Grid 8.1.1 serves as a replacement for Red Hat
Data Grid 8.1.0, and includes bug fixes and enhancements, which are
documented in the Release Notes document linked to in the References.

Security Fix(es):

* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
(CVE-2020-25644)

* XStream: remote code execution due to insecure XML deserialization when
relying on blocklists (CVE-2020-26217)

* infinispan: authorization check missing for server management operations
(CVE-2020-25711)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Refer to the Data Grid 8.1 Upgrade Guide for instructions on upgrading to
this version.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
1897618 - CVE-2020-25711 infinispan: authorization check missing for server management operations
1898907 - CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists

5. References:

https://access.redhat.com/security/cve/CVE-2020-25644
https://access.redhat.com/security/cve/CVE-2020-25711
https://access.redhat.com/security/cve/CVE-2020-26217
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=securityPatches&version=8.1
https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html/upgrading_data_grid/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
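The XStream fix above concerns deserialization that relied on a blocklist of known-dangerous classes. As an added illustration (not Red Hat's, Infinispan's or XStream's own code), the following shows the allowlist approach XStream's security API provides for applications that embed the library directly: every type is denied unless explicitly admitted. The `Entry` class and the `com.example.model` package pattern are assumed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical payload type the application legitimately exchanges.
    public static class Entry {
        public String key;
        public int ttlSeconds;
    }

    // Build an XStream instance that rejects every type not explicitly allowed.
    static XStream hardenedXStream() {
        XStream xs = new XStream();
        // Start from "deny everything": nothing deserializes until allowed below.
        xs.addPermission(NoTypePermission.NONE);
        // Re-admit null, primitives, String and only the application's own types.
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Entry.class });
        // Assumed application package; the ** wildcard covers subpackages.
        xs.allowTypesByWildcard(new String[] { "com.example.model.**" });
        xs.alias("entry", Entry.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardenedXStream();

        // Constructed, benign input: an allowed type round-trips normally.
        String ok = "<entry><key>session-42</key><ttlSeconds>300</ttlSeconds></entry>";
        Entry e = (Entry) xs.fromXML(ok);
        System.out.println("decoded key=" + e.key + " ttl=" + e.ttlSeconds);

        // Constructed input naming a type outside the allowlist. A blocklist only
        // stops classes it already knows about; the allowlist rejects this before
        // any object is instantiated, whichever class name the document carries.
        String unexpected = "<java.util.Properties/>";
        try {
            xs.fromXML(unexpected);
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Data Grid users do not configure XStream this way themselves; the point of the advisory is to apply the 8.1.1 update, and the snippet only shows the allowlist model the fix moves toward.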
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================